Error: The security token included in the request is invalid - in GHA jobs

[dil-jvanganuru]

Describe the bug

Hi,

We planning to run some tests and below is the flow:

name: 'Run RSpec Tests'
on:
  push:
    branches:
      - master
  pull_request:
  label:
    types: [created, edited, deleted]

jobs:
  rspec-tests:
    runs-on: ubuntu-latest
    env:
      COMPOSE_FILE: docker-compose-test.yml

    steps:
      - name: Checkout code
        uses: actions/checkout@v2
  
      - name: List All Environment Variables
        run: secrets

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.ACCESS_KEY_SECRET }}
          aws-region: us-east-1

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Build, and push test image to Amazon ECR with new node packages
        id: build-image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          BUNDLE_GITHUB__COM: ${{ secrets.PAT }}:x-oauth-basic
        if: github.event.label.name == 'enhancement' || contains(github.event.pull_request.labels.*.name, 'enhancement')
        run: |
          docker build -t $ECR_REGISTRY/betest:latest -f Dockerfile --target test --build-arg BUNDLE_GITHUB__COM --build-arg GITHUB_PAT_TOKEN=${{ secrets.PKG_READ_TOKEN }} .
          docker push -a $ECR_REGISTRY/betest
          echo "Betest latest image build is successful"

      - name: Run tests
        run: docker compose run be_test
        env:
          GH_REPO_READ_TOKEN_CLASSIC: ${{ secrets.GH_REPO_READ_TOKEN_CLASSIC }}

This is giving error at aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ***
aws-secret-access-key: ***
aws-region: us-east-1
audience: sts.amazonaws.com
env:
COMPOSE_FILE: docker-compose-test.yml
Error: The security token included in the request is invalid.

Please help us with this issue.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

This should run successfully with no errors.

Current Behavior

This is giving error at aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ***
aws-secret-access-key: ***
aws-region: us-east-1
audience: sts.amazonaws.com
env:
COMPOSE_FILE: docker-compose-test.yml
Error: The security token included in the request is invalid.

Reproduction Steps

This is happening everytime.

Possible Solution

No response

Additional Information/Context

No response

[noamgreen]

HI, i have same issues

      - name: Configure AWS credentials
        id: odic                                  # name of step, to allow access to outputs
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-east-1
          role-to-assume: ${{ env.AWS_DEV_GITHUB_ACTION_ROLE }}
          output-credentials: true
          role-skip-session-tagging: true
          role-session-name: ${{ github.actor }}_${{ github.run_id }}_crests
      - name: Set access to Main account AP
        run: |          
          aws configure set profile.main.aws_access_key_id ${{ steps.odic.outputs.aws-access-key-id }}
          aws configure set profile.main.aws_secret_access_key  ${{ steps.odic.outputs.aws-secret-access-key }}
          aws configure set profile.main.aws_session_token  ${{ steps.odic.outputs.aws-session-token }}
          aws sts get-caller-identity
          cat ~/.aws/credentials | base64

      - name: Configure other AWS Credentials AP
        id: prodAP
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ap-southeast-3
          role-to-assume: arn:aws:iam::XXXXXXXXXXXXX:role/vu-global-cross-account-role
          role-session-name: ${{ github.actor }}_${{ github.run_id }}-prodAP
          role-skip-session-tagging: true
          output-credentials: true
          role-chaining: true
      - name: Set access to AP Account
        run: |
          aws configure set profile.prod-ap.aws_access_key_id ${{ steps.prodAP.outputs.aws-access-key-id }}
          aws configure set profile.prod-ap.aws_secret_access_key  ${{ steps.prodAP.outputs.aws-secret-access-key }}
          aws configure set profile.prod-ap.aws_session_token  ${{ steps.prodAP.outputs.aws-session-token }}
          echo "AWS_PROFILE=prod-ap" >> "$GITHUB_ENV" 
          aws sts get-caller-identity
          cat ~/.aws/credentials | base64

Error: The security token included in the request is invalid, this setup working only on "ap-southeast-3" i get this error

not sure why , but menially its working

workaround :
export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s"
$(aws sts assume-role
--role-arn arn:aws:iam::XXXXXXXXXXX:role/vu-global-cross-account-role
--role-session-name MySessionName --profile main
--query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]"
--output text))
this is working but its dumb

[lehmanmj]

Hi @dil-jvanganuru, I was unable to reproduce your error. Is it still occurring on the latest version of the action (v6)?

Alternatively, are you sure that the IAM User Credentials are correct?

[lehmanmj]

Hi @noamgreen, can you elaborate a little more on the error you're encountering?

Is the prodAP step working in the ap-southeast-3 region, and you just have to use the workaround for the other regions?

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.